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(54) PERSONAL AUTHENTICATION SYSTEM AND PORTABLE ELECTRONIC DEVICE HAVING 
PERSONAL AUTHENTICATION FUNCTION USING BODY INFORMATION 



(57) In a system (e.g., debit card) where a PIN is 
entered as verification, the PIN and biometric informa- 
tion, which is free of being stolen orfaked : are combined 
to realize secure user verification. The leakage and the 
theft of a PIN is reliably prevented, thereby realizing a 
high security ability. To-be-verified biometric feature da- 
ta is transmitted from first transceiving interface (205) 
of data processing device (200) to portable electronic 
device (300). Biometric feature data verifying section 
(306) of portable electronic device (300) compares the 
to-be-verified biometric feature data, which has been re- 
ceived by second transceiving interface (301 ), with valid 
biometric feature data. If a predetermined matching con- 
dition between the to-be-verified biometric feature data 
and the valid biometric feature data is satisfied, a PIN 
stored in portable electronic device (300) is transmitted 
from second transceiving interface (301) to manage- 
ment device (400) via first transceiving interface (205) 
of data processing device (200). 
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register from hundreds of bytes to 2 kilobytes of biomet- 
ric feature data in an !C card. A small-sized processor 
(CPU) built in an IC card allows the IC card to serve as 
a data processor. 

[0016] Existing processors for IC cards, however do s 
not have the ability to execute all the processing of bio- 
metric feature data. Thus : an IC card terminal (external 
data processing device) for accessing IC cards samples 
an object user's biometric information and it also ex- 
tracts therefrom biometric feature data (hereinafter 10 
called "to-be-verified biometric feature data") for use in 
user verification, and IC cards are devoted to the verifi- 
cation of the extracted biometric feature data (for exam- 
ple, see Japanese Patent Application Publication No. 
HEI 10-312459). More precisely, an IC card previously 15 
stores its authorized user's biometric feature data as 
valid biometric feature data. Upon receipt of to-be-veri- 
fied biometric feature data from the IC card terminal the 
IC card compares the to-be-verified biometric feature 
data with the valid biometric feature data, and then re- 20 
turns the comparison/verification result to the IC card 
terminal. 

[0017] Applying the relationship between the IC card 
and the IC card terminal to a client-server fingerprint ver- 
ification method, the IC card terminal corresponds to a 25 
client which extracts fingerprint features, and the IC card 
corresponds to a server which verifies the fingerprint 
feature data. The foregoing verification method using an 
IC card, however, differs from the client-server finger- 
print verification method in that, in the former method, 30 
the IC card, which meets the server of the latter method, 
is carried by a user as a highly tamper-resistant portable 
electronic device. Since biometric feature data verifica- 
tion and its subsequent processing are executed on the 
IC card which is carried by a user, not on a server which 35 
is managed by a third party, the former offers an advan- 
tage of ensuring user privacy. 

[0018] However, the foregoing combination between 
biometric information and an IC card still has problems 
to be solved. The problems are that to-be-verified bio- 40 
metric feature data is sent, as it is, from the IC card ter- 
minal to the IC card, and that a verification result is sent 
out from the IC card as an OK/NG signal (0/1 signal). 
As a result, no matter how the IC card is superior in 
tamper-resistant properties, there still remains the pos- 45 
sibility that the data transmitted/received between the 
IC card and the IC card terminal may be wrongfully ob- 
tained and used by third parties. In other words, the ex- 
isting combination between an IC card and biometric in- 
formation has not taken full advantage of the high so 
tamper-resistant property of a recent IC card. 
[0019] Accordingly, it has been expected that high se- 
curity ability will be guaranteed when to-be-verified bio- 
metric feature data is input to an IC card, and also when 
a verification result obtained within an IC card is sent ss 
out to an external apparatus. 

[0020] With the foregoing problems in view : one ob- 
ject of the present invention is to realize secure user ver- 



ification. The present invention is applied to a system 
(for example, debit cards) where the input of a PIN is 
requested as verification, making it possible to use PIN 
verification in association with biometric feature data, 
which is free of having been stolen or faked. The leak- 
age and theft of the PIN are thus reliably prevented, so 
that a high level of security can be guaranteed. 
[0021] Another object of the invention is to guarantee 
high security ability when to-be-verified biometric fea- 
ture data is input to portable electronic device, such as 
an IC card, and also when a verification result obtained 
within an IC card is sent out to an external apparatus, 
so that secure user verification is realized. 

DISCLOSURE OF THE INVENTION 

[0022] 

(1-1) In order to accomplish the above object, ac- 
cording to the present invention, there is provided 
a user verification system, comprising: a portable 
electronic device, which is adapted to be carried by 
a user; a data processing device for directly access- 
ing such portable electronic device which is tempo- 
rarily installed therein; and a management device 
which accesses the portable electronic device via 
the data processing device and verifies the user uti- 
lizing a personal identification number (PIN). 

The data processing device includes: a biomet- 
ric information measuring unit for measuring bio- 
metric information of the user; a biometric feature 
data extracting section for extracting to-be-verified 
biometric feature data from the biometric informa- 
tion, which has been measured by biometric infor- 
mation measuring unit; and a first transceiving in- 
terface for transmitting/receiving data to/from the 
portable electronic device and the management de- 
vice. 

The portable electronic device includes: a bio- 
metric feature data register section having pre- 
stored valid biometric feature data of an authorized 
user of the portable electronic device; a second 
transceiving interface for transmitting/receiving da- 
ta to/from the data processing device; a biometric 
feature data verifying section for comparing to-be- 
verified biometric feature data, which is received 
from an external device via the second transceiving 
interface, with the valid biometric feature data; and 
a PIN register section having a pre-stored PIN of 
the authorized user of the portable electronic de- 
vice. 

The to-be-verified biometric feature data is 
transmitted from the first transceiving interface of 
the data processing device to the portable electron- 
ic device, and the biometric feature data verifying 
section of the portable electronic device compares 
the to-be-verified biometric feature data, which has 
been received via the second transceiving inter- 
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ta verifying section compares/verifies the to-be-verified 
biometric feature data with valid biometric feature data. 
As the result of the comparison, if the to-be-verified bi- 
ometric feature data satisfies a predetermined matching 
condition with the valid biometric feature data, a PIN is 5 
transmitted to the management device. 
[0024] As aforementioned, according to the user ver- 
ification system of the item (1 -1 ), after a predetermined 
matching between the to-be-verified biometric feature 
data and the valid biometric feature data is confirmed, w 
the PIN stored in the portable electronic device is trans- 
mitted to the management device. Thus, it is no longer 
necessary to directly input a PIN to the data processing 
device with a ten-key pad, and the PIN only passes 
through the data processing device, so that the risk of ?5 
a PIN being stolen at its input can be minimized. Accord- 
ingly, with the present invention applied to a system (for 
example, debit cards) where a PIN is requested to be 
input as verification, it is possible to associate PIN ver- 
ification with biometric user verification using biometric 20 
feature data, which is free of being stolen or faked. The 
leakage and the theft of PINs are thus prevented with 
reliability, so that a high level of security can be guaran- 
teed, thereby realizing secure user verification. 
[0025] According to the user verification system of the 25 
foregoing item (1-2), the first encryption section of the 
data processing device encodes the to-be-verified bio- 
metric feature data using a public key, and the encoded 
data is transmitted to the portable electronic device. Up- 
on receipt of the encoded data, the decryption section 30 
of the portable electronic device decodes the data with 
a valid secret key to restore the original to-be-verified 
biometric feature data, and the biometric feature data 
verifying section performs comparison/verification. That 
is, the to-be-verified biometric feature data is encoded 35 
by a public key system before it is sent out from the data 
processing device to the portable device, and all the da- 
ta that was entered in the portable electronic device for 
user verification is decoded in the portable electronic de- 
vice. It is thus possible to prevent the inputting of any 40 
tampered to-be-verified biometric feature data, making 
it difficult for wicked persons to commit spoofing or iden- 
tity fraud, so that a high level of security is guaranteed. 
Further, even if the to-be-verified biometric feature data 
should be intercepted using a false portable electronic 45 
device (a false IC card, or the like), it is still difficult to 
wrongfully use such stolen biometric feature data in an- 
other system because the stolen biometric feature data 
is encoded data. Accordingly, a high level of security is 
guaranteed, and user verification can be performed with so 
secure. 

[0026] According to the user verification system of the 
foregoing item (1-3), all the data transmitted from the 
portable device to an external apparatus is encoded in 
the portable electronic device. More precisely, the sec- 55 
ond encryption section encodes a PIN using a public key 
for the management device before the PIN is transmit- 
ted from the portable electronic device to the manage- 



ment device. Accordingly, even if a PIN should be inter- 
cepted during its transmission from the portable device 
to an external apparatus, it is still difficult to falsely use 
the stolen PIN in another system because the thus 
wrongfully obtained PIN has been encoded, so that a 
higher level of security is guaranteed. 
[0027] According to the user verification system of the 
foregoing item (1-4), the magnetic data read-out unit 
reads out the information stored in the recording unit 
provided on the surface of the portable electronic de- 
vice, and the read-out information is transmitted to the 
management device along with a PIN. Accordingly, the 
user verification system of the forgoing item (1-4) is ap- 
plicable in a case where a type of IC card having a func- 
tion (magnetic stripes) of an existing magnetic card 
serves as a portable electronic device. 
[0028] According to the user verification system of the 
foregoing item (1-5), in the data processing device, a 
time stamp is generated as the date and time the to-be- 
verified biometric feature data was extracted, and the 
generated time stamp is attached to the to-be-verified 
biometric feature data, and is then transmitted to the 
portable electronic device. In the portable electronic de- 
vice, the user is authenticated if a predetermined match- 
ing condition is satisfied between the to-be-verified bio- 
metric feature data and valid biometric feature data, and 
also if the difference between the time stamp (the ex- 
traction date-and-time) and the current time falls within 
a predetermined range. Accordingly, even if to-be-veri- 
fied biometric feature data should be intercepted during 
its transmission from the date processing device to the 
portable electronic device, and even if the stolen feature 
data should be falsely used in a replay attack against 
the portable device, the difference between the time 
stamp (the extraction date-and-time) and the current 
time becomes significant. On the basis of such signifi- 
cant difference, it is possible to reject access attempts 
using such stolen to-be-verified biometric feature data, 
so that the security level of the system is significantly 
improved. 

[0029] According to the user verification system of the 
forgoing item (1-6), in the portable electronic device, if 
an object user is identified as the owner of the portable 
device, the PIN, together with the verification date-and- 
time (time stamp) obtained by the clock function section, 
is encoded by the second encryption section, and is then 
sent out to the management device. Thus, even if the 
PIN should be intercepted during its transmission from 
the portable device to the management device and then 
be wrongfully used, the management device, which 
monitors the verification date-and-time attached to the 
PIN, can recognize that a wrongfully obtained PIN is 
used, based on the difference between the verification 
date-and-time (time stamp) and the current time. Ac- 
cordingly, it is possible to reject access attempts using 
such a stolen PIN, so that the security level of the system 
is significantly improved. 

[0030] According to the user verification system of the 
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prohibit the input of biometric feature information to 
the portable electronic device, if the evaluation is 
made a predetermined number of times succes- 
sively., as a result of the comparison by the feature 
data verifying section., that the to-be-verified bio- 
metric feature data never matches the valid biomet- 
ric feature data in terms of the predetermined 
matching condition. 

(2-9) The portable electronic device further com- 
prises a management log recording section storing 
a management log of the PIN ; which management 
log accumulates the dates and times when the PIN 
was transmitted, or the descriptions of transactions 
performed, or both of these. 

[0033] According to the portable electronic device of 
the foregoing item (2-1) with a user verification function 
utilizing biometric information, upon receipt of the to-be- 
verified biometric feature data via the transceiving inter- 
face, biometric feature data verifying section compares/ 
verifies the to-be-verified biometric feature data with val- 
id biometric feature data. As the result of the compari- 
son, if predetermined matching requirements between 
the to-be-verified biometric feature data and the valid 
biometric feature data are satisfied, a PIN is transmitted 
to the management device. 

[0034] In this manner, according to the portable elec- 
tronic device of the item (2-1), after a predetermined 
matching between the to-be-verified biometric feature 
data and the valid biometric feature data is confirmed, 
the PIN stored in the portable electronic device is trans- 
mitted to the management device. Thus, it is no longer 
necessary to directly input the PIN with a ten-key pad, 
so that the risk of a PIN being stolen at its input can be 
minimized. Accordingly, with the present invention ap- 
plied to a system (for example, debit cards) where input 
of a PIN is requested as verification, it is possible to as- 
sociate PIN verification with biometric user verification 
using biometric feature data, which is free of being sto- 
len or faked. The leakage and the theft of the PIN are 
thus prevented with reliability, so that a high level of se- 
curity can be guaranteed, thereby realizing secure user 
verification. 

[0035] According to the portable electronic device of 
the foregoing item (2-2), after the decryption section re- 
stores the original to-be-verified biometric feature data 
using a valid secret key, the biometric feature data ver- 
ification section carries out a comparison/verification 
operation. In other words, the to-be-verified biometric 
feature data is encoded by a public key system, and is 
then input to the portable electronic device. All the data 
that was input to the portable device at the user verifi- 
cation performed, is decoded in the portable electronic 
device. It is thus possible to prevent any counterfeit to- 
be-verified biometric feature data from being entered, 
making it difficult for wicked persons to commit spoofing 
or identity fraud, so that a high level of security is guar- 
anteed. Further, even if the to-be-verified biometric fea- 



ture data should be intercepted using a false portable 
electronic device (a false IC card, or the like) , it is still 
difficult to wrongfully use such stolen biometric feature 
data in another system because the stolen biometric 
5 feature data is encoded data. Accordingly, a high level 
of security is guaranteed, and user verification can be 
performed with secure. 

[0036] According to the portable electronic device of 
the item (2-3), all the data transmitted from the portable 
10 device to an external apparatus is encoded in the port- 
able electronic device. More precisely, the encryption 
section encodes a PIN using a public key for the man- 
agement device before the PIN is transmitted from the 
portable electronic device to the management device. 
15 Accordingly, even if a PIN should be intercepted during 
its transmission from the portable device to an external 
apparatus, it is still difficult to falsely use the stolen PIN 
in another system because the thus wrongfully obtained 
PIN has been encoded, so that a higher level of security 

20 is guaranteed. 

[0037] According to the portable electronic device of 
the foregoing item (2-4), there is provided on the surface 
of the portable electronic device a recording unit storing 
magnetic data of the information which is for use in the 

25 processing made on the management device. Accord- 
ingly, the portable electronic device of the forgoing item 
(1 -4) is applicable in a case where an IC card equipped 
with a function (magnetic stripes) of an existing magnet- 
ic card serves as a portable electronic device. 

30 [0038] According to the portable electronic device of 
the foregoing item (2-5), as a result of the comparison 
by biometric feature data verification section, if the to- 
be-verified biometric feature data satisfies a predeter- 
mined matching condition with the valid biometric fea- 

35 ture data, and also if the difference between the time 
stamp (the extraction date-and-time) and the current 
time falls within a predetermined range, the object per- 
son is judged to be the authorized user of the portable 
electronic device. Accordingly, even if the to-be-verified 

*o biometric feature data should be intercepted during its 
transmission to the portable electronic device, and even 
if the stolen feature data should be falsely used in a re- 
play attack against the portable device, the difference 
between the time stamp (the extraction date-and-time) 

45 and the current time becomes significant. On the basis 
of such significant difference, it is possible to reject ac- 
cess attempts using such stolen to-be-verified biometric 
feature data, so that the security level of the system is 
significantly improved. 

50 [0039] According to the portable electronic device of 
the foregoing item (2-6), after the object user is judged 
to be the authorized user of the portable electronic de- 
vice, the PIN, together with the verification date-and- 
time (time stamp) obtained by the clock function section, 

55 is encoded by the encryption section, and is then trans- 
mitted to the management device. Thus, even if the PIN 
should be intercepted during its transmission from the 
portable device to the management device and then be 
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ized user of the portable electronic device., the sec- 
ond encryption section encodes at least one of the 
following items: the user information; the level of 
correlation between the to-be-verified biometric 
feature data and the valid biometric feature data, 
which correlation level is obtained at the compari- 
son; and the date and time of the comparison per- 
f ormed : which is provided by the clock function sec- 
tion, and the encoded item is sent out from the sec- 
ond transceiving interface to the data processing 
device as a verification result. 
(3-4) The data processing section further includes 
a message digest creating section for creating a 
message digest as a value obtained by inputting da- 
ta to be transferred to the portable electronic device 
to a predetermined one-way function. The message 
digest and the to-be-verified biometric feature data 
are both encoded by the first encryption section, 
and are then sent out from the first transceiving in- 
terface to the portable electronic device. If the user 
is identified as the authorized user of the portable 
electronic device, as the comparison result by the 
biometric feature data verifying section and the time 
stamp verifying section, the second encryption sec- 
tion encodes the message digest which has been 
restored by the decryption section, and the encoded 
message digest is sent out from the second trans- 
ceiving interface to the data processing device, as 
a verification result. 

(3-5) The portable electronic device further includes 
a verification log recording section storing the veri- 
fication result as a verification log for a predeter- 
mined time period. 

(3-6) Upon receipt of a predetermined signal via the 
second transceiving interface, the portable elec- 
tronic device transmits public key information of the 
authorized user, which public key information is reg- 
istered in the portable electronic device, from the 
second transceiving interface to an external device. 
(3-7) The user verification system furthercomprises 
a lock function section which is operable to prohibit 
input of biometric feature information to the portable 
electronic device, if the evaluation is made a prede- 
termined number of times successively, as a result 
of the comparison by the feature data verifying sec- 
tion of the portable electronic device, that the to-be- 
verified biometric feature data never matches the 
valid biometric feature data in terms of the prede- 
termined matching condition. 

[0043] According to the user verification system of the 
foregoing item (3-1), in the data processing device, the 
biometric information measuring unit measures biomet- 
ric information of an object user to be verified, and the 
biometric feature data extracting section extracts to-be- 
verified biometric feature data from the biometric infor- 
mation. The thus extracted to-be-verified biometric fea- 
ture data is encoded by the first encryption section using 



a public key, and is then transmitted from the first trans- 
ceiving interface to the portable electronic device. In the 
portable electronic device, upon receipt of the encoded 
data via the second transceiving interface, the decryp- 
5 tion section restores the original to-be-verified biometric 
feature data, and then, the biometric feature data veri- 
fying section compares/verifies the to-be-verified bio- 
metric feature data with valid biometric feature data. 
[0044] In this manner according to the user verifica- 
10 tion system of the foregoing item (3-1 ), the to-be-verified 
biometric feature data is encoded using a public key be- 
fore being transmitted from the data processing device 
to the portable electronic device. Thus, even if the to- 
be-verified biometric feature data should be intercepted 
f5 using a false portable electronic device (a false IC card, 
or the like), it is still difficult to falsely use such encoded 
biometric feature data in another system. Thus, a high 
level of security is guaranteed, and user verification can 
be carried out with secure. 
20 [0045] According to the user verification system of the 
foregoing item (3-2), in the data processing device, a 
time stamp is generated as the date and time the to-be- 
verified biometric feature data was extracted, and the 
generated time stamp is attached to the to-be-verified 
biometric feature data, and is then transmitted to the 
portable electronic device. In the portable electronic de- 
vice, the user is authenticated If a predetermined match- 
ing condition is satisfied between the to-be-verified bio- 
metric feature data and the valid biometric feature data, 
and also if the difference between the time stamp (the 
extraction date-and-time) and the current time falls with- 
in a predetermined range. Accordingly, even if to-be- 
verified biometric feature data should be intercepted 
during its transmission from the data processing device 
to the portable electronic device, and even if the stolen 
feature data should be falsely used in a replay attack 
against the portable device, the difference between the 
time stamp (the extraction date-and-time) and the cur- 
rent time becomes significant. On the basis of such sig- 
nificant difference, it is possible to reject access at- 
tempts using such stolen to-be-verified biometric fea- 
ture data, so that the security level of the system is sig- 
nificantly improved. 

[0046] According to the user verification system of the 
foregoing item (3-3), in the portable electronic device, if 
the object person is judged to be the authorized user of 
the portable device, the second encryption section en- 
codes at least one of the following items using a secret 
key: user information (e.g., account number); the level 
of correlation between the to-be-verified biometric fea- 
ture data and the valid biometric feature data; and the 
verification date-and-time (time stamp). The encoded 
item is then sent out to the data processing device as a 
verification result. That is, since the information about 
the verification result is encoded using a secret key, the 
issuer of the verification result can be certified. At that 
time, since the verification date-and-time (time stamp) 
is inserted into the verification result, it is possible to pre- 
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vided by the clock function section, the encoded 
item is sent out from the transceiving interface to 
the data processing device as a verification result. 
(4-4) If the user is identified as the authorized user 
of the portable electronic device : as the comparison 5 
result by the biometric feature data verifying section 
and the time stamp verifying section, and also if a 
message digest which is obtained by inputting data 
to be transferred to the portable electronic device 
to a predetermined one-way function, is attached to 10 
the original to-be-verified biometric feature data re- 
stored by the decryption section, the encoding sec- 
tion encodes the message digest, and the encoded 
message digest is then sent out from the transceiv- 
ing interface to the data processing device as a ver- is 
ification result. 

(4-5) The portable electronic device further includes 
a verification log recording section storing the afore- 
mentioned verification results as a verification log 
for a predetermined time period. 20 
(4-6) Upon receipt of a predetermined signal via the 
transceiving interface, the portable electronic de- 
vice transmits public key information of the author- 
ized user, which public key information is registered 
in the portable electronic device, from the transceiv- 25 
ing interface to an external apparatus. 
(4-7) The portable electronic device further com- 
prises a lock function section which is operable to 
prohibit biometric feature information from being in- 
put to the portable electronic device, if the evalua- 30 
tion is made a predetermined number of times suc- 
cessively, as the result of the comparison by the fea- 
ture data verifying section, that the to-be-verified bi- 
ometric feature data never matches the valid bio- 
metric feature data in terms of a predetermined 35 
matching condition. 

[0051] According to the portable electronic device 
with a user verification function utilizing biometric infor- 
mation of the foregoing item (4-1), upon receipt of en- 40 
coded data via the transceiving interface, the decryption 
section restores the original to-be-verified biometric fea- 
ture data, and then, the biometric feature data verifying 
section compares/verifies the to-be-verified biometric 
feature data with valid biometric feature data. 45 
[0052] In this manner, according to the portable elec- 
tronic device of the foregoing item (4-1 ), the to-be-veri- 
fied biometric feature data is encoded using a public key 
before it is transmitted from the data processing device 
to the portable electronic device. Thus, even if the to- so 
be-verif ied biometric feature data should be intercepted 
using a false portable electronic device (a false IC card, 
or the like), it is still difficult to wrongfully use such to- 
be-verified biometric feature data (encoded data) in an- 
other system. Thus, a high level of security is guaran- ss 
teed, and user verification can be performed with se- 
cure. 

[0053] According to the portable electronic device of 



the foregoing item (4-2), in a case where a time stamp, 
which indicates the date and time to-be-verified biomet- 
ric feature data was extracted, is attached to the to-be- 
verified biometric feature data, the object person is 
judged to be the authorized user of the portable elec- 
tronic device, if predetermined matching requirements 
between the to-be-verified biometric feature data and 
valid biometric feature data are met, and also if the dif- 
ference between the time stamp (extraction date-and- 
time) and the current time falls within a predetermined 
range. Accordingly, even if to-be-verified biometric fea- 
ture data to be input to the portable electronic device 
should be intercepted, and even if the stolen feature da- 
ta should be falsely used in a replay attack against the 
portable device, the difference between the time stamp 
(extraction date-and-time) and the current time be- 
comes significant. On the basis of such significant dif- 
ference, it is possible to reject access attempts using 
such stolen to-be-verified biometric feature data, so that 
the security level of the system is significantly improved. 
[0054] According to the portable electronic device of 
the foregoing item (4-3), after the object user is verified, 
the encryption section encodes at least one of the fol- 
lowing items using a secret key: user information (e.g., 
account number); the level of correlation between the 
to-be-verified biometric feature data and the valid bio- 
metric feature data; and the verification date-and-time 
(time stamp). The encoded item is then sent out to the 
data processing device as a verification result. That is, 
since the information about the verification result is en- 
coded using a secret key, the issuer of the verification 
result can be certified. At that time, since the verification 
date-and-time (time stamp) is inserted into the verifica- 
tion result, it is possible to prevent the verification result 
of the biometric feature data from being tempered or fal- 
sified. Accordingly, even when the result of the verifica- 
tion of biometric feature data, obtained within the port- 
able electronic device, is sent out to an external appa- 
ratus, a high level of security is guaranteed, thus realiz- 
ing secure user verification. At that time, since the level 
of correlation between the to-be-verified biometric fea- 
ture data and the valid biometric feature data is provided 
as a verification result., it is possible to manage a record 
of likelihood of the matches. 

[0055] According to the portable electronic device of 
the foregoing item (4-4), if the object user is judged to 
be the authorized user of the portable device, and also 
if a message digest is attached to the to-be-verified bi- 
ometric feature data, the massage digest is encoded by 
the encryption section using a secret key, before it is 
sent out to an external apparatus as a verification result. 
Resulting from this, similar effects and benefits to those 
already described in the portable electronic device of the 
foregoing item (4-3) are guaranteed. Additionally, since 
a message digest is output as a verification result, it is 
possible to manage a record of which transaction the 
verification was made for. 

[0056] According to the portable electronic device of 
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access other systems later. 

[0064] In a second embodiment of the present inven- 
tion, since a public key system is employed in data com- 
munication between a portable electronic device (an IC 
card in the present embodiment) and an external data 
processing device (an IC card terminal in the present 
embodiment), a high level of security ability is guaran- 
teed at inputting to-be-verified biometric feature data to 
the portable electronic device and at outputting the re- 
sult of biometric feature data verification, which has 
been performed in the portable electronic device, to the 
portable electronic device, thereby realizing secure user 
verification. 

[0065] More precisely, in the second embodiment, the 
IC card also has pre-stored valid biometric feature data, 
which has been extracted from biometric information of 
the authorized user of the IC card. The user (authorized 
user) of the IC card inputs biometric information of his 
own to the IC card terminal, which then processes the 
input biometric information to extract biometric feature 
data. The thus extracted to-be-verified biometric feature 
data is input from the IC card terminal to the IC card. At 
that time, the to-be-verified biometric feature data is en- 
coded using a public key before it is sent out to the IC 
card. 

[0066] Then, if predetermined matching requirements 
are satisfied between the to-be-verified biometric fea- 
ture data and the valid biometric feature data, indicating 
that the to-be-verified biometric feature data matches 
the valid biometric feature data, the IC card merges a 
message digest which is attached to the to-be-verified 
biometric feature data, the biometric feature data verifi- 
cation result (the degree of correlation), the date and 
time the verification was performed, and user informa- 
tion about the authorized user of the IC card. Those 
merged items are encoded with a valid secret key for 
the IC card, and the encoded data is then sent out to the 
IC card terminal as a verification result. 
[0067] In this manner, since the second embodiment 
employs biometric user verification, without relying on a 
password, it is possible to provide a user verification 
technique suited to a tamper-resistant IC card. Further, 
since the biometric feature data is encoded using a pub- 
lic key system before the data is transmitted to the IC 
card, it is possible to protect the IC card from counterfeit 
biometric feature data. 

[0068] Further, in the second embodiment, the result 
of the verification performed on the IC card is encoded 
using the valid secret key stored in the IC card before it 
is sent out to an external apparatus, and the user veri- 
fication is performed within the IC card, so that the valid 
biometric feature stored the IC card is never sent out to 
an external apparatus, and that a verification result is 
never entered from an external apparatus to the IC card. 
It is thus possible to reduce with certainty the possibility 
of fraudulent use. 

[0069] At that time, if a verification result undergoes 
PKI (public key infrastructure) processing before it is 



output from the IC card to an external apparatus, or if a 
message digest is created and attached to the verifica- 
tion result, it is possible to lower the possibility of the 
verification result being tampered with or counterfeited 
5 with further certainty. 

[1] First Embodiment: 

[0070] FIG. 1 is a block diagram showing a user ver- 

io ification system of a first embodiment of the present in- 
vention. As shown in FIG. 1, user verification system 
100 includes IC card (portable electronic device) 300 
serving as a debit card, IC card terminal (external data 
processing device) 200 which receives IC card 300 and 

15 makes a direct access to the IC card 300, and host com- 
puter (management device) 400 which accesses the IC 
card 300 via the IC card terminal 200 to carry out user 
verification utilizing a personal identification number 
(PIN) as to the authorized user of the IC card 300. 

20 [0071 ] Host computer 400 belongs to a bank. The au- 
thorized user has a bank account in the bank, and when 
he uses IC card 300 as a debit card, his money is sub- 
tracted from the bank account. In practical use, such a 
debit card is used in combination with an external data 

25 processing device such as a debit card terminal (IC card 
terminal 200, here). This external data processing de- 
vice is connected with host computer 400, which man- 
ages the balances of bank accounts, via a communica- 
tions network. 

30 [0072] IC card terminal 200 has a slot (not shown) into 
which IC card 300 is to be inserted. IC card 300 is in- 
serted into the slot, whereupon transceiving interface 
205 (first transceiving interface) of the IC card terminal 
200 comes into contact with transceiving interface (sec- 

35 ond transceiving interface) 301 of the IC card 300, there- 
by allowing the IC card terminal 200 and the IC card 300 
to send/receive data therebetween. In the first embodi- 
ment, transceiving interfaces 205 and 301 are contact- 
type interfaces. The present invention should by no 

to means be limited to the above, and it is also possible to 
use contactless interfaces. 

[0073] IC card terminal 200 has biometric information 
measuring unit 201, biometric feature data extracting 
section 202, time stamp generating section 203, data 
45 encryption section (first encryption section) 204, and 
transceiving interface 205. 

[0074] Biometric information measuring unit 201 
measures and samples biometric information of an ob- 
ject user, for example, a person who inserted the IC card 

50 300 into the IC card terminal 200 (this is normally the 
authorized user of the IC card 300). The biometric infor- 
mation to be sampled may be image data such as a fin- 
gerprint, iris pattern, facial pattern, retina pattern, blood 
vessel pattern, hand shape, signature, and ear shape. 

55 it may otherwise be time-series data such as voice, key- 
strokes, and signature dynamics. For example, in a case 
of sampling the object user's fingerprint, biometric infor- 
mation measuring unit 201 should include a fingerprint 
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which has been calculated by clock function section 
304, and evaluates whether or not the difference be- 
tween them is within a predetermined range (for exam- 
ple, a predetermined value or lower). 
[0086] PIN register section 308 and user information 
register section 309 serve as a user information storage 
unit. PIN register section 308 has a pre-stored persona! 
identification number (password), which is requested to 
be input when IC card 300 attempts to access host com- 
puter 400. With a conventional debit card, a user has to 
manually input such a personal identification number 
(PIN) with a ten-key pad. User information register sec- 
tion 309 has a pre-stored account number (bank ac- 
count number, user number) of a bank account from 
which the amount spent should be subtracted, when IC 
card 300 is used as a debit card. 
[0087] Verification log recording section 310 holds a 
verification log for a limited time period. The verification 
log contains the results of the verification carried out by 
biometric feature data verifying section 302 and by time 
stamp verifying section 307, and also contains the date 
and time the verification was performed (hereinafter 
called the "verification date-and-time"), which date and 
time has been obtained by clock function section 304. 
[0088] IC card-dedicated public key register section 
312, as described above, has a pre-stored public key 
(predetermined public key information) for an IC card 
300, with which public key data encryption section 204 
of IC card terminal 200 encodes to-be-verified biometric 
feature data and a time stamp. Upon receipt of a prede- 
termined signal (certain command) through transceiving 
interface 301, IC card 300 transmits the public key 
stored in IC card-dedicated public key register section 
312, from transceiving interface 301 to IC card terminal 
200 (or host computer 400). 

[0089] When the PIN is transmitted to host computer 
400 as a verification result (will be described later), man- 
agement log recording section 317 records, as a man- 
agement log, the date and time the PIN was sent out, 
or the content of the transaction performed, or both of 
these. 

[0090] At that time, the foregoing biometric feature da- 
ta register section 302, secret key register section 303, 
PIN register section 308, user information register sec- 
tion 309, verification log recording section 31 0, IC card- 
dedicated public key register section 312, and manage- 
ment log recording section 31 7 are realized, in practical 
use, by a storage unit such as a ROM and a RAM inter- 
nally equipped in IC card 300. 

[0091] The foregoing clock function section 304, data 
encryption/decryption section 305, biometric feature da- 
ta verifying section 306, and time stamp verifying sec- 
tion 307 are realized, in practical use, by a CPU built in 
IC card 300. 

[0092] Next, an operation of user verification system 
100 of the first embodiment will be described hereinbe- 
low, with reference to the flowchart of FIG. 2. 
[0093] When using IC card 300 as a debit card, a user 



(object person to be verified) puts the IC card 300 into 
the slot of IC card terminal 200, and then presses his 
fingertip to a fingerprint input screen, if his fingerprint 
image data is requested to be entered as the biometric 

5 information for use in user verification. 

[0094] Biometric information measuring unit 201 of IC 
card terminal 200 measures the user's biometric infor- 
mation (fingerprint image data) (step S11). From the bi- 
ometric information, biometric feature data extracting 

10 section 202 extracts to-be-verified biometric feature da- 
ta, and time stamp generating section 203 generates the 
date and time (time stamp) the to-be-verified biometric 
feature data was extracted, and the time stamp is at- 
tached to the to-be-verified biometric feature data (step 

15 S12). 

[0095] The to-be-verified biometric feature data, 
along with the time stamp attached thereto, is encoded 
by data encryption section 204 using a public key for IC 
card 300 (step S13). The public key for IC card 300, as 

20 described above, is read out from IC card-dedicated 
public key register section 312 of IC card 300. Upon re- 
ceipt of a specific command (predetermined signal), the 
IC card-dedicated public key register section 312 allows 
the public key to be read out therefrom, and the read- 

25 out public key is sent out from IC card 300 to IC card 
terminal 200. Since this key for use in encryption, which 
is sent out from IC card 300 to IC card terminal 200, is 
a public key it does not matter if the key is sent out in 
response to a simple command. 

30 [0096] After that, the to-be-verified biometric feature 
data encoded by data encryption section 204 using the 
public key, is transferred/transmitted, along with the time 
stamp attached thereto, from transceiving interface 205 
to IC card 300 (step S14). 

35 [0097] When IC card 300 receives encoded data via 
transceiving interface 301 , data encryption/decryption 
section 305 restores the encoded data, using a valid se- 
cret key, into the original to-be-verified biometric feature 
data and time stamp (step S15). Biometric feature data 

to verifying section 306 first compares the to-be-verified 
biometric feature data with the valid biometric feature 
data (step S16). 

[0098] As a result of the comparison, if the level of 
correlation (the degree of the matching) between the to- 

•*5 be-verified biometric feature data and the valid biometric 
feature data is below a predetermined value (NO route 
of step S1 7), the object person is judged not to be the 
authorized user of the IC card 300 (step S22), and a 
predetermined action (for example, locking the card) is 

50 taken. 

[0099] Otherwise, if the level of correlation (the de- 
gree of the matching) between the to-be-verified biomet- 
ric feature data and the valid biometric feature data is a 
predetermined value or higher (YES route of step S17), 
55 time stamp verifying section 307 compares the time 
stamp restored by data encryption/decryption section 
305 with the current time calculated by clock function 
section 304 (step S18). 
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invention is applied to IC card 300 that serves as a debit 
card. The present invention should by no means be lim- 
ited to the above, and IC card terminal 200 can be re- 
placed with an IC card reader and host computer 400 
can be replaced with a personal computer (PC), thereby 5 
enabling the application of the present invention to a 
system for controlling access to the PC. 

[1-1] First Modified Example of the First Embodiment: 

w 

[0113] FIG. 3 is a block diagram showing a structure 
of a user verification system according to a first modifi- 
cation of the first embodiment of the present invention. 
Like reference numbers designate similar parts or ele- 
ments throughout several views of the present embod- 15 
iment, so their detailed description is omitted here. 
[0114] As shown in FIG. 3, in user verification system 
100A of the first modification of the first embodiment 
the following functions are added to IC card 300 of user 
verification system 1 00 of FIG. 1 . 20 
[0115] In other words, user verification system 100A 
is an advanced version of user verification system 1 00. 
In user verification system 100A, a PIN and an account 
number are encoded using a public key for host compu- 
ter 400, before they are transmitted to host computer 25 
400. At the time the PIN and the account number are 
encoded, a time stamp (verification date-and-time) is 
added to them. 

[0116] For this purpose, IC card 300 of user verifica- 
tion system 100A includes host computer-dedicated 30 
public key register section (management device-dedi- 
cated public key register section) 311 , which has a pre- 
stored public key for host computer 400. Such a host 
computer-dedicated public key register section 311 is, 
in practical use, realized by an internal storage unit, 35 
such as a ROM and a RAM, of IC card 300. 
[0117] In IC card 300 of user verification system 100A, 
if an object person is judged to be the authorized user 
of portable electronic device 300, as a result of the ver- 
ification carried out by biometric feature data verifying *o 
section 306 and time stamp verifying section 307, the 
date and time the verification was performed is obtained 
by clock function section 304, and the verification date- 
and-time is added to the PIN and the account number 
to be transmitted to host computer400, as a time stamp. 45 
[0118] The foregoing data encryption/decryption sec- 
tion 305 encodes the PIN and the account number to be 
transmitted to host computer 400, along with the time 
stamp (the verification date-and-time) , using a public 
key for host computer 400. 

[01 1 9] Referring now to the flowchart of FIG . 4, a de- 
scription will be made hereinbelow of an operation of 
user verification system 1 00A of the first modification to 
the first embodiment. Like step numbers designate the 
same processing as in FIG. 2, so their detailed descrip- 
tion is omitted here. 

[01 20] If the object person is judged to be the author- 
ized user of portable electronic device 300 in step S20, 



clock function section 304 obtains the date and time 
when the verification was performed, and the verifica- 
tion date-and-time is attached, as a time stamp, to the 
PIN and the account number to be transmitted to host 
computer 400 (step S31 ). 

[01 21 ] After that, the PIN and the account number are 
encoded by data encryption/decryption section 305 with 
a public key for host computer 400 (step S32), and then 
transmitted/transferred from transceiving interface 301 
to host computer 400 via transceiving interface 205 of 
IC card terminal 200 (step S33). 

[0122] User verification system 1 00A of the first mod- 
ification of the first embodiment guarantees similar ef- 
fects and benefits to those already described in the first 
embodiment. Additionally, even if the verification re- 
sults, including the PIN, are intercepted by undesirable 
parties during their transmission to an external appara- 
tus, it is still difficult for those third parties to wrongfully 
use the stolen PIN in another system, because the ver- 
ification results (a PIN, an account number, the verifica- 
tion date-and-time, and so on) have been encoded us- 
ing the public key for host computer 400 before they are 
sent out from IC card 300 to host computer 400. Thus 
the security level of the system is significantly improved. 
[0123] As to a verification result transmitted to host 
computer 400 in user verification system 100A, the re- 
sult contains the date and time the verification was per- 
formed, which has been attached to the verification re- 
sult as a time stamp. As a result, even if the verification 
result (PIN) should be intercepted and then wrongfully 
used, host computer 400, which monitors the verifica- 
tion date-and-time attached to the PIN, can recognize 
that a wrongfully obtained PIN is used, based on the dif- 
ference between the verification date-and-time (time 
stamp) and the current time. 

[0124] More precisely, if such a stolen PIN is used to 
access host computer 400, the difference between the 
verification date-and-time (time stamp) and the current 
time inevitably becomes great. Host computer 400 uses 
this trait to evaluate whether or not the object PIN is an 
intercepted one, and upon recognition of the stolen PIN, 
host computer 400 rejects the access attempt. It is thus 
difficult to reuse the stolen PIN, so that a higher level of 
security is guaranteed. It is difficult to reuse the same 
data. 

[1-2] Second Modified Example of the First 
embodiment: 

[0125] FIG. 5 is a block diagram showing a structure 
of a user verification system according to a second mod- 
ification to the first embodiment of the present invention. 
Like reference numbers designate similar parts or ele- 
ments throughout several views of the present embod- 
iment, so their detailed description is omitted here. 
[0126] As shown in FIG. 5, in user verification system 
1 00B of the second modification of the first embodiment, 
the following functions (of magnetic data read-out unit 
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[0143] In this manner user verification system 100C 
of the third modification of the first embodiment guaran- 
tees similar effects and benefits to those already de- 
scribed in the second modification to the first embodi- 
ment. Additionally, if biometric feature data verifying 
section 306 obtains the comparison result a predeter- 
mined times consecutively that the matching condition 
between the to-be-verified biometric feature data and 
the valid biometric feature data is not satisfied, IC card 
lock section 314 locks IC card 300 to prohibit the input- 
ting of biometric feature data to IC card 300 ; thereby 
preventing unauthorized accessing with reliability. 

[2] Second embodiment: 

[0144] FIG. 9 is a block diagram showing a structure 
of a user verification system according to a second em- 
bodiment of the present invention. Like reference num- 
bers designate similar parts or elements throughout 
several views of the present embodiment, so their de- 
tailed description is omitted here. 
[0145] As shown in FIG. 9, user verification system 
500 of the second embodiment includes IC card (porta- 
ble electronic device) 300, IC card terminal (external da- 
ta processing device) 200 which receives IC card 300 
and makes a direct access to the IC card 300. IC card 
300 of the second embodiment may optionally have a 
function of a debit card, as in the case of the first em- 
bodiment. 

[0146] IC card terminal 200 of the second embodi- 
ment, as in the case of the first embodiment, has a slot 
(not shown) for receiving IC card 300. At an instant IC 
card 300 is inserted into this slot, transceiving interface 
(first transceiving interface) 205 of IC card terminal 200 
comes into contact with transceiving interface (second 
transceiving interface) 301 of IC card 300, so that data 
can be transmitted/received between IC card terminal 
200 and IC card 300. In the second embodiment, also, 
transceiving interfaces 205, 301 are contact-type inter- 
faces. The present invention, however, should by no 
means be limited to this, contactless interfaces can also 
be available. 

[01 47] IC card terminal 200 has biometric information 
measuring unit 201 , biometric feature data extracting 
section 202, data encryption section (first encryption 
section) 204, and transceiving interface 205. 
[0148] Biometric information measuring unit 201 , as 
in the case of the first embodiment, measures/samples 
biometric information of an object user, a person who 
inserted IC card 300 into the slot of IC card terminal 200 
(probably the authorized user of IC card 300). Biometric 
feature data extracting section 202, as in the case of the 
first embodiment, extracts to-be-verified biometric fea- 
ture data from the biometric information measured by 
biometric information measuring unit 201 . As to biomet- 
ric information and biometric feature data to be extract- 
ed from the biometric feature data, similar kinds of bio- 
metric data to those described in the first embodiment 



are used, so their detailed description is omitted here. 
[0149] Data encryption section 204 encodes the to- 
be-verified biometric feature data extracted by biometric 
feature data extracting section 202, using a public key 
5 for IC card 300. At that time, as in the first embodiment, 
the public key for IC card 300 is provided by a host com- 
puter (not shown; the one separate from host computer 
400) connected with IC card terminal 200, or it is pro- 
vided by IC card 300 in response to a specific command 
io (predetermined signal) issued to IC card 300. In the sec- 
ond embodiment, also, IC card-dedicated public key 
register section 312 of IC card 300 has a public key for 
IC card 300, and IC card terminal 200 issues the specific 
command to IC card 300 to obtain the public key. 
[0150] As in the foregoing description, transceiving in- 
terface 205 comes into contact with transceiving inter- 
face 301 of IC card 300, thereby enabling data commu- 
nication between IC card terminal 200 and IC card 300. 
[0151] IC card 300 of the second embodiment, as of 
the first embodiment, has a built-in storage unit such as 
a ROM and a RAM, and also contains a CPU which car- 
ries out processing based on the data stored in the stor- 
age unit and signals received from an external appara- 
tus. IC card 300 includes transceiving interface 301 , bi- 
ometric feature data register section 302, secret key 
register section 303, data encryption/decryption section 
(serving both as a second encryption section and as a 
decryption section) 305, biometric feature data verifying 
section 306, and IC card-dedicated public key register 
section 312. 

[0152] Transceiving interface 301 , as in the foregoing 
description, comes into contact with transceiving inter- 
face 205 of IC card terminal 200, thereby enabling data 
communication between IC card terminal 200 and IC 
card 300. 

[0153] Biometric feature data register section 302 has 
pre-stored valid biometric feature data of the authorized 
user of IC card 300. This valid biometric feature data is 
registered, for example, when IC card 300 is initially is- 
sued, in the similar way to that described in the first em- 
bodiment. 

[0154] As in the first embodiment, secret key register 
section 303 has a pre-stored registered secret key cor- 
responding to the public key for IC card 300. 
[01 55] Data encryption/decryption section 305 serves 
both as a decryption section and as an encryption sec- 
tion (second encryption section). Serving as the former 
data encryption/decryption section 305 decodes the da- 
ta received from an external apparatus through trans- 
ceiving interface 301 , using the valid secret key regis- 
tered in secret key register section 303. Serving as the 
latter, data encryption/decryption section 305 encodes 
data to be transmitted to host computer 400, using the 
public key for the host computer 400. In the second em- 
bodiment, however, data encryption/decryption section 
305 functions only as a decryption section, and its func- 
tion as an encryption section is used in first through third 
modified examples of the second embodiment. Here, as 
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301 , the public key stored in IC card-dedicated public 
key register section 312 is read out and is then sent out 
to an external apparatus. Thus : it is possible for IC card 
terminal 200 to use the public key stored in IC card 300 
in encryption, with no necessity for IC card terminal 200 
to store any public key for IC card 300. 
[0171] The foregoing description of the first embodi- 
ment was made on a case where a portable electronic 
device is an IC card, and a data processing device is an 
IC card terminal. The present invention should by no 
means be limited to this,, and it is also applicable to other 
technical fields, such as automatic teller machines 
(ATMs), credit card terminals, and PC access -managing 
systems. 

[2-1] First Modified Example of the Second 
embodiment: 

[0172] FIG. 1 1 is a block diagram showing a structure 
of a user verification system according to a first modifi- 
cation to the second embodiment of the present inven- 
tion. Like reference numbers designate similar parts or 
elements throughout several views of the present em- 
bodiment., so their detailed description is omitted here. 
[0173] As shown in FIG. 11 , in user verification system 
500A of the first modification of the second embodiment, 
the following functions are added to IC card terminal 200 
and IC card 300 of user verification system 500 of FIG. 9. 
[01 74] IC card terminal 200 has time stamp generat- 
ing section 203 which generates a time stamp as the 
date and time biometric feature data extracting section 
202 extracted the to-be-verified biometric feature data. 
Data encryption section 204 then encodes the to-be- 
verified biometric feature data, which has been extract- 
ed by biometric feature data extracting section 202, 
along with the time stamp (the date and time the to-be- 
verified biometric feature data was extracted; herein af- 
ter called the "verification date-and-time"), which has 
been generated by time stamp generating section 203, 
using a public key for IC card 300. Transceiving inter- 
face 205 sends out the to-be-verified biometric feature 
data, which has been encoded in a state that a time 
stamp is attached thereto. 

[01 75] IC card 300 has clock function section 304 and 
time stamp verifying section 307. The functions of these 
clock function section 304 and time stamp verifying sec- 
tion 307 are, in practical use, realized by a CPU built in 
IC card 300. 

[0176] Clock function section 304 calculates the cur- 
rent time. Time stamp verifying section 307 compares 
the time stamp restored by data encryption/decryption 
section 305 with the current time calculated by clock 
function section 304, and then evaluates whether or not 
the difference therebetween falls within a predeter- 
mined range (e.g., a predetermined value or smaller). 
[0177] Referring now to the flowchart of FIG. 12, a de- 
scription will be made hereinbelow of an operation of 
user verification system 500A of the first modification to 



the second embodiment. Like step numbers designate 
the same processing as in FIG. 2, so their detailed de- 
scription is omitted here. As is apparent from the com- 
parison between FIG. 2 and FIG. 12, the operation in 

5 the first modification of the second embodiment is nearly 
the same as the operation in the first embodiment, ex- 
cept that the outputting of the verification results (user 
number and PIN) (step S21) is not executed in the first 
modification of the second embodiment. 

10 [0178] A user (object person to be verified) puts the 
IC card 300 into the slot of IC card terminal 200, and 
then presses his fingertip to a fingerprint input screen, 
if his fingerprint image data is requested to be input as 
biometric information for use in user verification. 

1 5 [0179] Biometric information measuring unit 201 of IC 
card terminal 200 measures the user's biometric infor- 
mation (fingerprint image data) (step S11). From the bi- 
ometric information, biometric feature data extracting 
section 202 extracts to-be-verified biometric feature da- 
20 ta, and time stamp generating section 203 generates the 
date and time (time stamp) the to-be-verified biometric 
feature data was extracted, and the time stamp is at- 
tached to the to-be-verified biometric feature data (step 
S12). 

25 [0180] The to-be-verified biometric feature data, 
along with the time stamp attached thereto, is encoded 
by data encryption section 204 using a public key for IC 
card 300 (step S13), and is then transferred/transmitted 
from transceiving interface 205 to IC card 300 (step 

30 S14). 

[0181] When IC card 300 receives encoded data via 
transceiving interface 301 , data encryption/decryption 
section 305 restores the encoded data, using a valid se- 
cret key, into the original to-be-verified biometric feature 
35 data and time stamp (step S1 5). Biometric feature data 
verifying section 306 first compares the to-be-verified- 
biometric feature data with the valid biometric feature 
data (step S1 6). 

[0182] As a result of the comparison, if the level of 
40 correlation (the degree of the matching) between the to- 
be-verified biometric feature data and the valid biometric 
feature data is below a predetermined value (NO route 
of step S17), the object person is judged not to be the 
authorized user of the IC card 300 (step S22), and a 
45 predetermined action (for example, locking the card) is 
taken. 

[0183] Otherwise, if the level of correlation (the de- 
gree of the matching) between the to-be-verified biomet- 
ric feature data and the valid biometric feature data is a 

so predetermined value or higher (YES route of step S1 7), 
time stamp verifying section 307 compares the time 
stamp restored by data encryption/decryption section 
305 with the current time calculated by clock function 
section 304 (step S18). 

55 [0184] As a result of the comparison, if the difference 
between the time stamp (the extraction date-and-time) 
and the current time exceeds a predetermined value 
(NO route of step S19), the object person is judged not 
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of the second modification of the second embodiment 
guarantees similar effects and benefits to those already 
described in the first modification of the second embod- 
iment. Additionally, the verification result to be provided 
is not a simple "OK" or "NG" signal., but the following are 
provided after their being encoded with the valid secret 
key stored within IC card 300: user information; the level 
of correlation between to-be-verified biometric feature 
data and valid biometric feature data; and the verifica- 
tion date-and-time. The encoded data is sent out to IC 
card terminal 200 via transceiving interface 301 . 
[0200] In other words, the verification result to be sent 
out is the information more complicated than the simple 
"OK'V'NG" signal, and the information is encoded using 
the secret key before it is sent out. It thus becomes dif- 
ficult to tamper with such complicated information, in 
comparison with the simple "OKTNG" signal. In addi- 
tion, the issuer of the verification result can be certified. 
Further, the verification date-and-time (time stamp) is 
inserted into the verification result, making it difficult to 
use the verification result in another system. It is thus 
possible to surely prevent the result of verification of bi- 
ometric feature data from being tampered with or falsi- 
fied. 

[0201] Accordingly, even when the result of the veri- 
fication of biometric feature data, obtained within IC card 
300, is sent out to an external apparatus, a high level of 
security can be guaranteed, thus realizing safe user ver- 
ification. At that time, since the level of correlation be- 
tween the to-be-verified biometric feature data and the 
valid biometric feature data is provided as a verification 
result, it is possible to manage the record of with what 
degree of certainty the user authentication was estab- 
lished. 

[0202] Further, in user verification system 500B, ver- 
ification log recording section 310 of IC card 300 stores 
the verification results (OK/NG) obtained by biometric 
feature data verifying section 306 and time stamp veri- 
fying section 307, and it also holds the result of the merg- 
ing in step S51 for a predetermined time period. Thus, 
a record of the user verification performed is stored in 
IC card 300. 

[2-3] Third Modified Example of the Second 
Embodiment: 

[0203] FIG. 1 5 is a block diagram showing a structure 
of a user verification system according to a third modi- 
fication to the second embodiment of the present inven- 
tion. Like reference numbers designate similar parts or 
elements throughout several views of the present em- 
bodiment, so their detailed description is omitted here. 
[0204] As shown in FIG. 15, in user verification sys- 
tem 500C of the third modification to the second embod- 
iment, the following functions are added to IC card ter- 
minal 200 and IC card 300 of user verification system 
500Bof FIG. 13. 

[0205] More precisely, IC card terminal 200 includes 



electronic billing section 207 and message digest cre- 
ating section 208. 

[0206] Electronic billing section 207 creates an elec- 
tronic bill (transfer data) to be attached to to-be-verified 

5 biometric feature data, when the to-be-verified biometric 
feature data is sent out to IC card 300. Message digest 
creating section 208 generates a message digest, a val- 
ue which is obtained by inputting the electronic bill 
(transfer data) created by electronic billing section 207 

10 into a predetermined one-way function. 

[0207] The message digest, which has been created 
by message digest creating section 208, is encoded by 
data encryption section 204 together with the to-be-ver- 
ified biometric feature data, and is then transmitted from 

15 transceiving interface 205 to IC card 300. 

[0208] Further, IC card 300 has a function of message 
digest receiving section 316. Message digest receiving 
section 31 6 receives a message digest that is restored 
by data encryption/decryption section 305. 
20 [0209] Referring now to the flowchart of FIG. 1 6, a de- 
scription will be made hereinbelow of an operation of 
user verification system 500B of the third modification 
to the second embodiment. 

[0210] In user verification system 500C, after an ob- 
25 ject user is verified following the flowchart of FIG. 1 0 or 
FIG. 12, that is, after step S20, the following are merged 
as verification data (verification results) (step S61) : (1) 
user information, such as user number, stored in user 
information register section 309; (2) the level of correla- 
te tion between to-be-verified biometric feature data and 
valid biometric feature data, which correlation level has 
been obtained by biometric feature data verifying sec- 
tion 306; (3) verification date-and-time obtained by clock 
function section 304; and (4) a message digest received 
35 by message digest receiving section 316. 

[0211] After that, data encryption/decryption section 
305 encodes the verification data using the valid secret 
key stored in secret key register section 303 (step S62), 
and the encoded data is then sent out from transceiving 
40 interface 301 to IC card terminal 200 (step S63). 

[0212] Here, in step S61, the foregoing data of (1) 
through (4) may further be merged with another mes- 
sage digest newly generated within IC card 300 and with 
the date and time the transaction permission was given 
45 to this message digest. 

[0213] In this manner, user verification system 500C 
of the third modification of the second embodiment guar- 
antees similar effects and benefits to those already de- 
scribed in the second modification of the second em- 
so bodiment. Additionally, since a message digest is trans- 
mitted to IC card terminal 200 as a verification result, it 
is possible to manage a record of which transaction the 
verification was made for. 

[0214] In step S61 , the foregoing data of (1) through 
55 (4) may further be merged with another message digest 
newly generated within IC card 300 and with the date 
and time the transaction permission was given to this 
message digest. In this case, it is possible to reduce the 
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processing device (200). 

2. A user verification system according to claim 1 . 

wherein said data processing device (200) 
further includes a first encryption section (204) for 5 
encoding said to-be-verified biometric feature data 
with a public key. 

wherein said portable electronic device (300) 
further includes: 

10 

a secret key register section (303) having a pre- 
stored valid secret key corresponding to said 
public key; and 

a decryption section (305) for decoding encod- 
ed data ; which is received from an external de- is 
vice via said second transceiving interface 
(301 ) : with said valid secret key, 

wherein said to-be-verified biometric feature 
data encoded by said first encryption section (204) 20 
is transmitted from said first transceiving interface 
(205) to said portable electronic device (300) : as 
said encoded data, and 

wherein said decryption section (305) de- 
codes said encoded data, which has been received 25 
via said second transceiving interface (301), into 
the original to-be-verified biometric feature data, 
which is then compared with said valid biometric 
feature data by said biometric feature data verifying 
section (306). 30 

3. A user verification system according to claim 1 , 
wherein said portable electronic device (300) fur- 
ther includes: 

35 

a made-for-management-device public key 
register section (31 1 ) having a pre-stored pub- 
lic key dedicated to said management device 
(400); and 

a second encryption section (305) for encoding 40 
said PIN with said made-for-management-de- 
vice public key before said PIN is sent out to 
said management device (400). 

4. A user verification system according to claim 1 , 45 

wherein said portable electronic device (300) 
further includes a recording unit provided on its sur- 
face, said recording unit storing magnetic data on 
information for use in processing carried out by said 
management device (400), so 

wherein said data processing device (200) 
further includes a magnetic data read-out unit (206) 
for reading out said magnetic data stored in said re- 
cording unit, and 

wherein said magnetic data, which has been 55 
readout by said magnetic data read-out unit (206), 
is sent out, together with said PIN, from said first 
transceiving interface (205) to said management 



device (400). 

5. A user verification system according to claim 3 : 

wherein said data processing device (200) 
further includes a time stamp generating section 
(203) for generating a time stamp as the date and 
time when said biometric feature data extracting 
section (202) has extracted said to-be-verified bio- 
metric feature data, 

wherein, said time stamp is encoded, together 
with said to-be-verified biometric feature data, by 
said first encryption section (204), and the encoded 
time stamp is then sent out from said first transceiv- 
ing interface (205) to said portable electronic device 
(300), 

wherein said portable electronic device (300) 
further includes: 

a clock function section (304) for calculating the 
current time; and 

a time stamp verifying section (307) for com- 
paring the original time stamp, which has been 
restored by said decryption section (305), with 
said current time, which has been calculated by 
said clock function section (304), and 

wherein, if it is found, as the comparison result 
by said biometric feature data verifying section 
(306), that said to-be-verified biometric feature data 
matches said valid biometric feature data in terms 
of a predetermined matching condition, and also if 
it is found, as the comparison result by said time 
stamp verifying section (307), that a difference be- 
tween said time stamp and said current time falls 
within a predetermined range, said user is identified 
as said authorized user of said portable electronic 
device (300). 

6. A user verification system according to claim 5, 
wherein if said user is identified as said authorized 
user of said portable electronic device (300), as the 
comparison result by said biometric feature data 
verifying section (306) and said time stamp verifying 
section (307), said second encryption section (305) 
encodes both said PIN and the date and time of the 
comparison performed, which date and time is ob- 
tained by said clock function section (304), and the 
encoded PIN and the encoded date and time of the 
comparison are then sent out from said second 
transceiving interface (301) of said portable elec- 
tronic device (300) to said management device 
(400) via said first transceiving interface (205) of 
said data processing device (200). 

7. A user verification system according to claim 1 , 
wherein upon receipt of a predetermined signal via 
said second transceiving interface (301), saidport- 
able electronic device (300) transmits public key in- 
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ometric feature data has been extracted; 

if it is found., as the comparison result by said 
biometric feature data verifying section (306) : 
that said to-be-verified biometric feature data 5 
matches said valid biometric feature data in 
terms of a predetermined matching condition 
and also if it is found, as the comparison result 
by said time stamp verifying section (307), that 
a difference between said time stamp and said 10 
current time falls within a predetermined range, 
said user being identified as said authorized us- 
er of said portable electronic device (300). 

15. A portable electronic device according to claim 14, is 
wherein if said user is identified as said authorized 
user of said portable electronic device (300), as the 
comparison result by said biometric feature data 
verifying section (306) and said time stamp verifying 
section (307), said encryption section (305) en- 20 
codes both said PIN and the date and time of the 
comparison performed, which date and time is ob- 
tained by said clock function section (304), and the 
encoded PIN and the encoded date and time of the 
comparison are then sent out from said transceiving 25 
interface (301) to said management device (400). 

16. A portable electronic device according to claim 10, 
wherein upon receipt of a predetermined signal via 
said transceiving interface (301 ), said portable elec- 30 
tronic device (300) transmits public key information 

of said authorized user, which public key informa- 
tion is registered in said portable electronic device 
(300), from said transceiving interface (301) to an 
external device. 35 

17. A portable electronic device according to claim 10, 
further comprising a lock function section (314) 
which is operable to prohibit input of biometric fea- 
ture information to said portable electronic device 40 
(300), if the evaluation is made a predetermined 
number of times successively, as a result of the 
comparison by said feature data verifying section 
(306), that said to-be-verified biometric feature data 
never matches said valid biometric feature data in 45 
terms of said predetermined matching condition. 

18. A portable electronic device according to claim 10, 
further comprising a management log recording 
section (317) storing a management log of said PIN, so 
said management log accumulating the dates and 
times when said PIN has been transmitted, or de- 
scriptions of transactions performed, or both of 
these. 

55 

19. A user verification system, comprising: 

a portable electronic device (300), which is 



adapted to be carried by a user; and 
a data processing device (200) for directly ac- 
cessing such portable electronic device (300) 
which is temporarily installed therein, 
said data processing device (200) including: 

a biometric information measuring unit 

(201) for measuring biometric information 
of said user; 

a biometric feature data extracting section 

(202) for extracting to-be-verified biometric 
feature data from said biometric informa- 
tion, which has been measured by biomet- 
ric information measuring unit (201); 

a first encryption section (204) for encoding 
said to-be-verified biometric feature data 
with a public key; and 
a first transceiving interface (205) for trans- 
mitting/receiving data to/from said portable 
electronic device (300), 

said portable electronic device (300) including: 

a biometric feature data register section 
(302) having pre-stored valid biometric fea- 
ture data of an authorized user of said port- 
able electronic device (300) ; 
a second transceiving interface (301) for 
transmitting/receiving data to/from said da- 
ta processing device (200): 
a biometric feature data verifying section 
(306) for comparing to-be-verified biomet- 
ric feature data, which is received from an 
external device via said second transceiv- 
ing interface (301 ), with said valid biometric 
feature data; 

a secret key register section (303) having 
a pre-stored valid secret key correspond- 
ing to said public key; and 
a decryption section (305) for decoding en- 
coded data, which has been encoded with 
said public key, with said valid secret key, 

the encoded to-be-verified biometric feature 
data, which has been encoded by said first en- 
cryption section (204), being transmitted from 
said first transceiving interface (205) to said 
portable electronic device (300), 
said decryption section (305) decoding said en- 
coded data, which has been received via said 
second transceiving interface (301), into the 
original to-be-verified biometric feature data, 
and 

said biometric feature data verifying section 
(306) comparing the original to-be-verified bio- 
metric feature data with said valid biometric 
feature data. 
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26. A portable electronic device with a user verification 
function utilizing biometric information, said porta- 
ble electronic device, comprising: 

a biometric feature data register section (302) 
having pre-stored valid biometric feature data 
of an authorized user of said portable electronic 
device (300); 



if it is found, as the comparison result by said 
biometric feature data verifying section (306), 
that saidto-be-verified biometric feature data 
matches said valid biometric feature data in 
terms of a predetermined matching condition, 
and also if it is found, as the comparison result 
by said time stamp verifying section (307), that 
a difference between said time stamp and said 



current time falls within a predetermined range ; 
said user being identified as said authorized us- 
er of said portable electronic device (300). 

28. A portable electronic device according to claim 27 , 
further comprising: 

a user information register section (309) having 
pre-stored user information about said author- 
ized user of said portable electronic device 
(300); and 

an encryption section (305) for encoding data, 
which is to be transmitted from said transceiv- 
ing interface (301) to said data processing de- 
vice (200), with said valid secret key, 
as a result of comparison by said biometric fea- 
ture data verifying section (306) and said time 
stamp verifying section (307), if said user is 
identified as said authorized user of said port- 
able electronic device (300), said encryption 
section (305) encoding at least one of the fol- 
lowing items: said user information; the level of 
correlation between said to-be-verified biomet- 
ric feature data and said valid biometric feature 
data, which correlation level is obtained at the 
comparison; and the date and time of said com- 
parison performed, which is provided by said 
clock function section (304), and the encoded 
item being sent out from said transceiving in- 
terface (301) to said data processing device 
(200) as a verification result. 

29. A portable electronic device according to claim 28, 
wherein if said user is identified as said authorized 
user of said portable electronic device (300), as the 
comparison result by said biometric feature data 
verifying section (306) and said time stamp verifying 
section (307), and also if a message digest, which 
is obtained by inputting data to be transferred to 
said portable electronic device (300) to a predeter- 
mined one-way function, is attached to the original 
to-be-verified biometric feature data restored by 
said decryption section (305), said encoding sec- 
tion (305) encodes said message digest, and the 
encoded message digest is then sent out from said 
transceiving interface (301 ) to said data processing 
device (200) as a verification result. 

30. A portable electronic device according to claim 28, 
further including a verification log recording section 
(310) storing said verification results as a verifica- 
tion log for a predetermined time period. 

31. A portable electronic device according to claim 26, 
wherein upon receipt of a predetermined signal via 
said transceiving interface (301 ), said portable elec- 
tronic device (300) transmits public key information 
of said authorized user, which public key informa- 



a transceiving interface (301 ) for transmit- w 
ting/receiving data to/from an external de- 
vice; 

a biometric feature data verifying section 
(306) for comparing to-be-verified biomet- 
ric feature data, which is received from an 15 
external device via said transceiving inter- 
face (301 ), with said valid biometric feature 
data; 

a secret key register section (303) having 
a pre-stored valid secret key correspond- 20 
ing to said public key; and 
a decryption section (305) for decoding en- 
coded data, which has been encoded with 
said public key, with said valid secret key, 

25 

said decryption section (305) decoding said en- 
coded data, which has been received via said 
transceiving interface (301 ), into the original to- 
be-verified biometric feature data, and 
said biometric feature data verifying section 30 
(306) comparing the original to-be-verified bio- 
metric feature data with said valid biometric 
feature data. 

27. A portable electronic device according to claim 26, 35 
further comprising: 

a clock function section (304) for calculating the 
current time; and 

40 

a time stamp verifying section (307) for 
comparing a time stamp, if any, attached to 
the original to-be-verified biometric feature 
data restored by said decryption section 
(305), with said current time, which has 45 
been calculated by said clock function sec- 
tion (304), said time stamp indicating the 
date and time when said to-be-verified bi- 
ometric feature data has been extracted, 

50 



55 



EP 1 237 091 A1 



^-200 

/ 

/ 



FIG. 1 

100 



BIOMETRIC INFORMATION 
MEASURING UNIT 



201 



202 



BIOMETRIC FEATURE DATA 
EXTRACTING SECTION 



203 



TIME STAMP 
GENERATING 
SECTION 



DATA ENCRYPTION 
SECTION 






TRANS* 
INTEF 


3EIVING 
tFACE 



204 



205 



USER NO. 
& 
PIN 




400 



300 



IC CARD-DEDICATED PUBUC 
KEY REGISTER SECTION 



312 



SECRET KEY REGISTER 
SECTION 



BIOMETRIC FEATURE DATA 
REGISTER SECTION 



BIOMETRIC FEATURE DATA 
VERIFYING SECTION 



TRANSCEtVING INTERFACE 
305 \ 



303 



302 



306 



301 



DATA 

ENCRYPTION/DECRYPTION 
SECTION 



TIME STAMP VERIFYING 
SECTION 



307 



304 



CLOCK FUNCTION 
SECTION 



VERIFICATION LOG 
RECORDING SECTION 



USER INFORMATION 
REGISTER SECTION / 



PIN REGISTER 
SECTION 



310 
309 



r 



308 



MANAGEMENT LOG 
RECORDING SECTION 



V- 317 



31 



EP 1 237 091 A1 



FIG. 3 



— 200 



100A 



^—300 



BIOMETRIC 
INFORMATION 
MEASURING UNIT 



r 



BIOMETRIC FEATURE DATA \f 



EXTRACTING SECTION 



201 



202 



203 



TIME STAMP 
GENERATING 
SECTION 



DATA ENCRYPTION 
SECTION 



TRANSCEIVING 
INTERFACE 



204 



205 

















ENCODED 
USER NO. 
& 
PIN 






f 








HOST COMPUTER 
(BANK) 





IC CARD-DEDICATED PUBLIC 
KEY REGISTER SECTION 



if 



312 



SECRET KEY REGISTER 
SECTION 



BIOMETRIC FEATURE DATA 
REGISTER SECTION 



BIOMETRIC FEATURE DATA 
VERIFYING SECTION 



TRANSCEIVING INTERFACE 



305 



2^ 



T 



303 



302 



306 



301 



DATA 

ENCRYPTION/DECRYPTION 
SECTION 



TIME STAMP VERIFYING 
SECTION 



307 



304 



CLOCK FUNCTION 
SECTION 



VERIFICATION LOG 
RECORDING SECTION 



^310 



USER INFORMATION 
REGISTER SECTION f 309 



PIN REGISTER 
SECTION 



r 



308 



JL 



311 



HOST COMPUTER- 
DEDICATED PUBLIC KEY 
REGISTER SECTION 



317 



MANAGEMENT LOG 

RECORDING 
SECTION 



33 



1237091 A1 I > 



EP 1 237 091 A1 



FIG. 5 



200 



MAGNETIC DATA READ- \f 
OUT UNIT 



BIOMETRIC INFORMATION f 
MEASURING UNIT 



BIOMETRIC FEATURE DATA 
EXTRACTING SECTION 



if 



206 

201 

202 
203 



TIME STAMP 
GENERATING 
SECTION 



DATA ENCRYPTION 
SECTION 






I TRANS< 
INTEF 


3E1VING 
tFACE 



204 



205 



USER NO. 
& 

ENCODED 
PIN 



HOST COMPUTER 
(BANK) 



400 



100B 



..-.-300 



JC CARD-DEDICATED PUBLIC 
KEY REGISTER SECTION 



312 



SECRET KEY REGISTER 
SECTION 



BIOMETRIC FEATURE DATA 
REGISTER SECTION 



BIOMETRIC FEATURE DATA 
VERIFYING SECTION 



I 



TRANSCEIVING INTERFACE 

^-301 



305 



303 



302 



306 



DATA 

ENCRYPTION/DECRYPTION 
SECTION 



307 



TIME STAMP VERIFYING 
SECTION 



V 



304 



CLOCK FUNCTION 
SECTION 



VERIFICATION LOG 
RECORDING SECTION 



USER INFORMATION 
REGISTER SECTION 



r 



PIN REGISTER 
SECTION 



310 
309 



r 



308 



311 



HOST COMPUTER- 
DEDICATED PUBUC KEY 
REGISTER SECTION 



317 



MANAGEMENT LOG 
RECORDING 
SECTION 



35 



EP 1 237 091 A1 



FIG. 7 

1O0C 



200 



300 



MAGNETIC DATA READ- 
OUT UNfT 



V 



206 



BIOMETRIC INFORMATION 
MEASURING UNIT 



S 



201 



BIOMETRIC FEATURE DATA 
EXTRACTING SECTION 



if 



202 



203 



a. 



TIME STAMP 
GENERATING 
SECTION 



DATA ENCRYPTION 
SECTION 






TRANS( 
INTEF 


SEIVING 
IFACE 



204 



205 



USER NO. 
& 

ENCODED 
PIN 



HOST COMPUTER 
(BANK) 



400 



IC CARD LOCK SECTION 



314 



IC CARD -DEDICATED PUBLIC 
KEY REGISTER SECTION 



312 



SECRET KEY REGISTER 
SECTION 



BIOMETRIC FEATURE DATA 
REGISTER SECTION 



303 



BIOMETRIC FEATURE DATA 
VERIFYING SECTION 



VERIFICATION 
SQUMIEB SEGIlQj 



TRANSCEIVING INTERFACE 



305 



T 



302 



306 



301 



DATA 

ENCRYPTION/DECRYPTION 
SECTION 



307 



TIME STAMP VERIFYING 
SECTION 



304 



CLOCK FUNCTION 
SECTION 



VERIFICATION LOG 
RECORDING SECTION 



^310 



USER INFORMATION _ aoQ 
REGISTER SECTION > 



PIN REGISTER 
SECTIQN 



r 



308 



r 



311 



HOST COMPUTER- 
DEDICATED PUBLIC KEY 
REGISTER SECTION 



317 



MANAGEMENT LOG 
RECORDING SECTION 



<SD0CJD:<EP 1237091A1 I > 



37 



EP 1 237 091 A1 



FIG. 9 



.-200 



50O 



-300 



BIOMETRIC INFORMATION \f 
MEASU RING UNIT 

i 

V 



201 



BIOMETRIC FEATURE DATA 
EXTRACTING SECTION 



DATA EN( 
SEC 


DRYPTION 

noN 






TRANSCEIVING 
INTERFACE 



202 



204 



205 



I i 



IC CARD-DEDICATED PUBUC 
KEY REGISTER SECTION 



.-312 
^-303 



SECRET KEY REGISTER 
SECTION 



BIOMETRIC FEATURE DATA 
REGISTER SECTION 



-302 



306 



BIOMETRIC FEATURE DATA 
VERIFYING SECTION 



TRANSCEIVING INTERFACE 



V 



305 



301 



DATA 

ENCRYPTION/DECRYPTION 
SECTION 



39 

3D0CID: <EP 1237091A1J_> 



EP 1 237 091 A1 



FIG. 1 1 



200 



5 00 A 



^--300 



BIOMETRIC INFORMATION 
MEASURING UNIT 



V 



BIOMETRIC FEATURE DATA 
EXTRACTING SECTION 



201 



•202 



203 



TIME STAMP 
GENERATING 
SECTION 



DATA ENCRYPTION 
SECTION 



s 



TRANSCEIVING 
INTERFACE 



204 



205 



IC CARD-DEDICATED PUBLIC 
KEY REGISTER SECTION 



312 



SECRET KEY REGISTER 
SECTION 



BIOMETRIC FEATURE DATA 
REGISTER SECTION 



BIOMETRIC FEATURE DATA 
VERIFYING SECTION 



TRANSCEIVING INTERFACE 



305 



zL 



DATA 

ENCRYPTION/DECRYPTION 
SECTION 



TIME STAMP VERIFYING 
SECTION 



•303 



302 



•306 



301 



307 



CLOCK FUNCTION 
SECTION 



304 



1237091A1J_> 



41 



EP 1 237 091 A1 



FIG. 13 
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FIG. 15 
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